NBFC Registration
NBFC

RBI Master Direction on Information Technology Framework

RBI Master Direction on Information Technology Framework

The NBFC (Non-Banking Finance Company) segment has grown up in size & complexity over the ages. The NBFC (Non-Banking Finance Company) industry develops & attains measure, its Information Technology /Information Security (IT/IS) structure, Business Continuity Planning (BCP), Disaster Recovery (DR) Management, IT audit, etc. must be benchmarked to best practices.

In accordance with the directions on IT Structure for the NBFC sector that is predicted to recover safety, security, efficiency in events leading to aids for NBFCs and their clients are enclosed. NBFCs may have already executed or maybe implementing some of the requirements indicated in the circular. NBFCs are therefore required to conduct a formal gap analysis between their current status and stipulations as laid out in the circular and put in place a time-bound action plan to address the gap and comply with the guidelines.

The emphasis of the projected IT framework is on IT Governance, IT Policy, Information & Cyber Security[1], IT Operations, IS Audit, Business Continuity Planning & IT Services Outsourcing. The directives are characterized by two parts, those which are applicable to all NBFCs with asset size above ₹ 500 crores (Considered Systemically Important) are provided in Section-A. Directions for NBFCs with asset size below ₹ 500 crores are provided in Section-B of the regulation framed by the RBI.

IT Governance for NBFC

IT Governance is a vital part of Corporate Governance (CG)[2]. It contains management support, administrative structure & processes to safeguard that the NBFC’s IT withstands & ranges business approaches & objects. Effective IT Governance is the obligation of the Board of Directors & Executive Management.

Definite roles & responsibilities of Board and Senior Management are critical while implementing IT Governance. Clearly-defined roles permit actual project control. IT Governance Stakeholders comprise Board of Directors, IT Strategy Committees, CEOs, Business Executives, Chief Information Officers (CIOs), Chief Technology Officers (CTOs), IT Steering Committees, Chief Risk Officer & Risk Committees.

The simple principles of value delivery, IT Risk Management, IT resource management & performance management must form the basis of the governance framework. IT Governance has continuous life-cycle. It’s a procedure in which IT strategy drives the procedures, using resources essential to perform responsibilities.

IT Strategy Committee in NBFC

NBFCs are obligatory to form an IT Strategy Committee. The chairman of the committee shall be an independent director and CIO & CTO should be a part of the committee. The IT Strategy Committee should meet at an appropriate frequency but not more than 6 months should elapse between 2 meetings. The Committee will work in partnership with other Board committees & Senior Management to provide input to them. It will also carry out the review & amend the IT strategies in line with the corporate strategies, Board Policy reviews, cybersecurity arrangements & any other matter related to IT Governance.

Some of the roles and responsibilities comprise, Approving IT strategy & policy documents & ensuring that the management has put an effective strategic planning process in place; ascertaining that management has implemented processes & practices that confirm that the IT delivers value to the business; ensuring IT investments represent a balance of risks & benefits and that budgets are acceptable; monitoring the method that management uses to determine the IT resources needed to achieve strategic goals and provide high-level direction for sourcing and use of IT resources; ensuring proper balance of IT investments for sustaining NBFC’s growth and becoming aware of exposure towards IT risks and controls.

Require IT Policy for BFC

NBFCs may formulate a Board approved IT policy, in line with the objectives of their organization comprising the subsequent. An IT administrative structure commensurate with the size, scale and nature of business activities carried out by the NBFC; NBFCs may designate a senior executive as the Chief Information Officer (CIO) or in-Charge of IT operations whose responsibility is to ensure implementation of IT Policy to the operational level involving IT strategy, value delivery, risk management and IT resource management.

To ensure technical competence at senior/middle level management of NBFC, periodic assessment of the IT training requirements should be formulated to confirm that sufficient, competent and capable human resources are available.

Applicability of IT Governance in NBFC

The instructions have been characterized into 2 parts:

  • Directions applicable to all NBFCs with asset size above ₹ 500 crores (Considered Systemically Important) are provided in Section-A
  • Directions for NBFCs with asset size below ₹ 500 crores are provided in Section-B.

Section A: systemically important NBFCS i.e. with asset size above ₹ 500 crore 

The importance of the strategic IT framework is on IT Governance, IT Policy, Information & Cyber Security, IT Operations, IS Audit, Business Continuity Planning, and IT Services Outsourcing.

Who shall be responsible for the implementation of effective IT Governance?

Board of Directors and Executive Management – Well-defined roles and responsibilities to enable effective project control

Who are the IT Governance Stakeholders?

  • Board of Directors
  • IT Strategy Committees
  • CEOs
  • Business Executives
  • Chief Information Officers (CIOs)
  • Chief Technology Officers (CTOs)
  • IT Steering Committees

(Operating at an executive level and focusing on priority setting, resource allocation, and project tracking)

  • Chief Risk Officer and Risk Committees
  • Formation of an IT Strategy Committee
  • Chairman of the Committee – An independent director
  • Other Members – CIO & CTO
  • Frequency of Meeting – An appropriate frequency with a maximum gap of 6 months between two meetings

Role of the Committee

  • Providing input to other Board committees and Senior Management
  • Carrying out the review and amending the IT strategies in line with the corporate strategies, Board Policy reviews, cyber security arrangements and any other matter related to IT Governance
  • Approving IT strategy and policy documents and ensuring that the management has put an effective strategic planning process in place
  • Ascertaining that management has implemented processes and practices that ensure that the IT delivers value to the business
  • Ensuring IT investments represent a balance of risks and benefits and that budgets are acceptable
  • Monitoring the method that management uses to determine the IT resources needed to achieve strategic goals and provide high-level direction for sourcing and use of IT resources
  • Ensuring the proper balance of IT investments for sustaining NBFC’s growth and becoming aware of exposure towards IT risks and controls.

Section B: Directions for NBFCs with asset size below ₹ 500 crore

It is recommended that smaller NBFCs may start with developing basic IT systems mainly for maintaining the database. NBFCs having asset size below ₹ 500 crores shall have a Board approved Information Technology policy/Information system policy. The IT systems shall have:

  • Basic security aspects such as physical/ logical access controls and well-defined password policy
  • A well-defined user role
  • A Maker-checker concept to reduce the risk of error and misuse and to ensure the reliability of data/information
  • Information Security and Cyber Security
  • Requirements as regards Mobile Financial Services, Social Media, and Digital Signature Certificates
  • System-generated reports for Top Management summarizing financial position including operating and non-operating revenues and expenses, cost-benefit analysis of segments/verticals, cost of funds, etc.
  • Adequacy to file regulatory returns to RBI (COSMOS Returns)
  • A BCP policy duly approved by the Board ensuring regular oversight of the Board by way of periodic reports (at least once every year)
  • Arrangement for backup of data with periodic testing
  • IT Systems should be progressively scaled up as the size and complexity of NBFC’s operations increases.
Narendra Kumar

Experienced Finance and Legal Professional with 12+ Years of Experience in Legal, Finance, Fintech, Blockchain, and Revenue Management.

NBFC Registration

Trending Posted

Our Awards Our Awards

Top 100 Companies in Asia - Red Herring
Top 100 Companies in Asia - Red Herring

Red Herring Top 100 Asia enlists outstanding entrepreneurs and promising companies. It selects the award winners from approximately 2000 privately financed companies each year in the Asia. Since 1996, Red Herring has kept tabs on these up-and-comers. Red Herring editors were among the first to recognize that companies such as Google, Facebook, Kakao, Alibaba, Twitter, Rakuten, Salesforce.com, Xiaomi and YouTube would change the way we live and work.

Top 25 in India - Consultants Review

Researchers have found out that organization using new technologies in their accounting and tax have better productivity as compared to those using the traditional methods. Complying with the recent technological trends in the accounting industry, Enterslice was formed to focus on the emerging start up companies and bring innovation in their traditional Chartered Accountants & Legal profession services, disrupt traditional Chartered Accountants practice mechanism & Lawyers.

Top 25 in India - Consultants Review

In the news